[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [F11, SELinux] What is mls?



On Tue, 2009-07-07 at 13:48 +0100, Marko Vojinovic wrote:
> Hello folks!
> 
> On this freshly installed F11 machine (from the KDE Live CD) I often
> get selinux alerts similar to the one below. It's not just openvpn,
> but also mv (dhcpc_t) and ifconfig (ifconfig_t). I don't feel anything
> to be non-functional (aside from openvpn, but that's a different
> problem), but these alerts are confusing to me. I did a yum list
> selinux* and it replied with:
> 
> Installed Packages
> selinux-policy.noarch
> selinux-policy-targeted.noarch
> Available Packages
> selinux-doc.noarch
> selinux-policy-doc.noarch
> selinux-policy-minimum.noarch
> selinux-policy-mls.noarch
> 
> Here I can see that selinux-policy-mls is not installed, while all the
> alerts are related to mls. yum info selinux-policy-mls gives the
> description "SELinux Reference policy mls base module" which is not
> very informative (for me).
> 
> So, five questions:
> 1) what is mls?
> 2) is installing selinux-policy-mls going to help with these alerts?
> 3) if yes, why wasn't it installed automatically?
> 4) is any of this actually related to the alerts I get?
> 5) are the alerts important, or is it safe to ignore them?

You can ignore, and I think they are silenced by a policy update.
A libselinux constructor probes for /selinux/mls to initialize internal
state used later by the library functions, and unfortunately all of the
net-tools are getting linked against libselinux now just because of
netstat -Z support.  No, you don't need selinux-policy-mls.

There is a patch pending for libselinux that will make such probing
happen lazily and thus avoid such denials.

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]